MEMORANDUM OF UNDERSTANDING 
BETWEEN 


THE PERSONAL DATA PROTECTION COMMISSION 
OF THE REPUBLIC OF SINGAPORE 


AND 


THE INFORMATION COMMISSIONER FOR THE 
UNITED KINGDOM 


FOR COOPERATION IN 


THE ENFORCEMENT OF LAWS PROTECTING 
PERSONAL DATA 


The Personal Data Protection Commission of the Republic of Singapore 
(hereinafter referred to as “PDPC”) and the Information Commissioner for 
the United Kingdom (hereinafter referred to as “the Commissioner"), 
hereinafter referred to individually as the “Participant” and collectively 
referred to as the "Participants", 


Reaffirming their intent to deepen their existing relations and to promote 
exchanges in personal data protection; 


Recognising the need to foster closer collaboration and cooperation in 
personal data protection; 


Confirming that nothing in this Memorandum of Understanding 
(hereinafter referred to as “this MOU”) should be interpreted as imposing 
a requirement on the Commissioner to cooperate with PDPC in 
circumstances where doing so would breach the Commissioner’s legal 
responsibilities, including under the retained EU law version of the General 
Data Protection Regulation of the European Union (“GDPR”); 


Confirming that nothing in this MOU should be interpreted as imposing a 


requirement on the PDPC to cooperate with the Commissioner in 
circumstances where doing so would breach its legal responsibilities, 
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including under the Personal Data Protection Act 2012 of the Republic of 
Singapore (“PDPA”), 


HAVE REACHED the following understanding on a framework for 
cooperation which sets out non-binding broad principles of collaboration 
and the legal framework governing the sharing of relevant information and 
intelligence between the Participants: 


1) 


2) 


PARAGRAPH 1 
SCOPE OF COLLABORATION 


The Participants understand and acknowledge that it is in their common 
interest to collaborate in accordance with this MOU to: 


a) Ensure that the Participants are able to deliver the regulatory 
cooperation necessary to underpin their data based economies and 
protect the fundamental rights of citizens of the United Kingdom and 
the Republic of Singapore respectively, in accordance with the 
applicable laws of the Participants’ respective countries; 

b) Cooperate with respect to the enforcement of their respective 
applicable data protection and privacy laws; 

c) Keep each other informed of developments in their respective 
countries having a bearing on this MOU; and 

d) Recognise parallel or joint investigations or enforcement actions by 
the Participants as priority issues for cooperation. 


For this purpose, the Participants may jointly identify one or more areas 
or initiatives for cooperation. Such cooperation may include: 


a) sharing of experiences and exchange of best practices on data 
protection policies, education and training programmes; 

b) cooperation in providing regulatory guidance in both jurisdictions to 
support innovation in technology or business models (e.g. via cross- 
jurisdiction regulatory sandboxes or other similar mechanisms), with 
the Commissioner providing advice on United Kingdom information 
law and the PDPC providing advice on Singapore data protection law; 

c) implementation of joint research projects; 

d) exchange of information and research collaborations regarding the 
development and implementation of governance models for artificial 
intelligence and other emerging technologies; 
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e) exchange of information (excluding personal data) involving potential 
or on-going investigations of organisations in the respective 
jurisdictions in relation to a contravention of data protection or do- 
not-call legislation; 

f) joint investigations into cross border personal data incidents involving 
organisations in both jurisdictions (excluding sharing of personal 
data); 

g) convening bilateral meetings annually or as mutually decided 
between the Participants; and 

h) any other areas of cooperation as mutually decided by the 
Participants. 


PARAGRAPH 2 
ROLE AND FUNCTION OF THE COMMISSIONER 


1) The Commissioner is a corporation sole appointed by Her Majesty the 
Queen under the Data Protection Act 2018 of the United Kingdom 
(hereinafter referred to as “DPA”) to act as the United Kingdom’s 
independent regulator to uphold information rights in the public interest, 
promote openness by public bodies and data privacy for individuals. 


2) The Commissioner is empowered to take a range of regulatory action 
for breaches of the following legislation (as may be amended, including 
aS a consequence of the United Kingdom's withdrawal from the 
European Union), hereinafter referred to by their acronyms as indicated 
below: 


a) DPA; 

b) GDPR; 

c) Privacy and Electronic Communications (EC Directive) Regulations 
2003 (“PECR”); 

d) Freedom of Information Act 2000 (“FOIA”); 

e) Environmental Information Regulations 2004 (“EIR”); 

f) Environmental Protection Public Sector Information Regulations 2009 
(“INSPIRE Regulations”); 

g) Investigatory Powers Act 2016; 

h) Re-use of Public Sector Information Regulations 2015; 

i) Enterprise Act 2002; 

j) Security of Network and Information Systems Directive (“NIS 
Directive”); and 
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k) Electronic Identification, Authentication and Trust Services 
Regulation (“eIDAS”). 


3) The Commissioner has a broad range of statutory duties, including 


monitoring and enforcement of data protection laws, and promotion of 
good practice and adherence to the data protection obligations by those 
who process personal data. These duties sit alongside those relating to 
the other enforcement regimes outlined in paragraph 2(4) below. 


4) The Commissioner’s regulatory and enforcement powers include: 


5 


xo 


a) conducting assessments of compliance with the DPA, GDPR, PECR, 
eIDAS, the NIS Directive, FOIA and EIR; 

b) issuing information notices requiring individuals, controllers or 
processors to provide information in relation to an investigation; 

c) issuing enforcement notices, warnings, reprimands, practice 
recommendations and other orders requiring specific actions by an 
individual or organisation to resolve breaches (including potential 
breaches) of data protection legislation and other information rights 
obligations; 

d) administering fines by way of penalty notices in the circumstances 
set out in section 155 of the DPA; 

e) administering fixed penalties for failing to meet specific obligations 
(such as failing to pay the relevant fee to the Commissioner); 

f) issuing decision notices detailing the outcome of an investigation 
under FOIA or EIR; 

g) certifying contempt of court should an authority fail to comply with 
an information notice, decision notice or enforcement notice under 
FOIA or EIR; and 

h) prosecuting criminal offences before the Courts. 


Regulation 31 of PECR, also provides the Commissioner with the power 
to serve enforcement notices and issue monetary penalty notices as 
above to organisations who breach PECR. This includes, but is not 
limited to, breaches in the form of unsolicited marketing which falls 
within the ambit of PECR, including automated telephone calls made 
without consent, live telephone calls which have not been screened 
against the Telephone Preference Service, and unsolicited electronic 
messages (Regulations 19, 21 and 22 of PECR respectively). 
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PARAGRAPH 3 
ROLE AND FUNCTION OF THE INFO-COMMUNICATIONS MEDIA 
DEVELOPMENT AUTHORITY AND PDPC 


1) The Info-communications Media Development Authority is established 
under section 3 of the Info-communications Media Development 
Authority Act 2016 of the Republic of Singapore, and is designated as 
the PDPC under section 5(1) of the PDPA. The PDPA governs the 
collection, use and disclosure of personal data by organisations in a 
manner that recognises both the right of individuals to protect their 
personal data and the need of organisations to collect, use or disclose 
personal data for purposes that a reasonable person would consider 
appropriate in the circumstances. 


2) The functions of the PDPC set out in section 6 of the PDPA include the 
following, amongst others: 


a) to administer and enforce the PDPA; 

b) to represent the Singapore Government internationally on matters 
relating to data protection; and 

c) to manage technical cooperation and exchange in the area of data 
protection with foreign data protection authorities and international 
or inter-governmental organisations. 


3) The PDPC’s regulatory and enforcement powers include the following, 
amongst others: 


a) conducting investigations and reviews in relation to organisations’ 
compliance with the PDPA; 

b) requiring individuals and organisations, by notice in writing, to 
produce to the PDPC information and/or documents which the PDPC 
considers relates to any matter relevant to any investigation; 

c) issuing advisory notices, warnings and directions to organisations to 
ensure their compliance with the PDPA; 

d) administering financial penalties and composition fines for 
contravention of the PDPA; 

e) registering its directions with the Courts and enforcing them as an 
Order of Court; and 

f) prosecuting criminal offences before the Courts. 
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PARAGRAPH 4 
NO SHARING OF PERSONAL DATA 


1) The Participants do not intend this MOU to cover any sharing of personal 
data by the Participants. 


2) If the Participants wish to share personal data, for example in relation 
to any cross border personal data incidents involving organisations in 
both jurisdictions, each Participant will consider compliance with its own 
applicable data protection laws, which may require the Participants to 
enter into a written agreement or arrangement regarding the sharing of 
such personal data. 


PARAGRAPH 5 
COSTS, EXPENSES AND RESOURCES 


Without prejudice to any separate written agreement or arrangement or 
unless otherwise mutually decided in writing by the Participants, each 
Participant will bear its own costs and expenses in implementing this MOU. 


PARAGRAPH 6 
CONFIDENTIAL INFORMATION SHARED BY THE COMMISSIONER 


1) Section 132(1) of the DPA 2018 states that the Commissioner can only 
share confidential information with others if there is lawful authority to 
do so. In this context, the information will be considered confidential if 
it has been obtained, or provided to, the Commissioner in the course of, 
or for the purposes of, discharging the Commissioner’s functions, relates 
to an identifiable individual or business, and is not otherwise available 
to the public from other sources. Section 132(2) of the DPA 2018 sets 
out the circumstances in which the Commissioner will have the lawful 
authority to share that confidential information with the PDPC. In 
particular, it will be lawful in circumstances where: 


a) The sharing was necessary for the purpose of discharging the 
Commissioner’s functions (section 132(2)(c));and 

b) The sharing was necessary in the public interest, taking into account 
the rights, freedoms and legitimate interests of any person (section 
132(2)(f)). 
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2) The Commissioner may therefore be permitted to share confidential 
information with the PDPC in circumstances where the Commissioner 
has determined that it is reasonably necessary to do so in furtherance 
of the Commissioner’s role and functions. In doing so, the Commissioner 
will identify the function of the PDPC with which that information may 
assist, and assess whether that function of the PDPC could reasonably 
be achieved without access to the particular information in question. 


3) The Commissioner may exercise the discretion to refuse, limit or impose 
conditions on a request for cooperation with the PDPC where (i) it is 
outside the scope of this MOU, or (ii) compliance with the request would 
breach the Commissioner’s legal responsibilities, including under the 
GDPR. 


PARAGRAPH 7 
CONFIDENTIAL INFORMATION SHARED BY PDPC 


1) Section 59 of the PDPA provides that the PDPC is required to preserve 
the secrecy of confidential information that may come into its knowledge 
in the performance of its functions under the PDPA. Section 59 further 
provides that the PDPC shall not communicate any such confidential 
information to any person except in so far as such communication 
(among others): 


a) is necessary for the performance of any such function or discharge of 
any such duty; 

b) is lawfully required by any Court; 

c) is necessary to comply with any provision of a cooperation agreement 
entered into under section 10 of the PDPA where the following 
conditions are satisfied: 


i) the information or documents requested by the foreign country 
are in the possession of the PDPC; 

ii) unless the Singapore Government otherwise allows, the foreign 
country undertakes to keep the information confidential at all 
times; and 

iii) disclosure of the information is not likely to be contrary to public 
interest; or 
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d) is lawfully required or permitted under the PDPA or any other written 
law. 


2) For the purposes of sharing confidential information with a foreign data 
protection body pursuant to a cooperation agreement, the PDPC shall 
not furnish any information unless it requires, and obtains from, that 
body an undertaking in writing that it will comply with the terms 
specified by the PDPC, including terms that correspond to the provisions 
of any written law concerning the disclosure of that information by the 
PDPC. 


PARAGRAPH 8 
CONFIDENTIALITY AND DATA BREACH REPORTING 


1) Appropriate security measures will be agreed to protect information 
transfers in accordance with the sensitivity of the information and any 
classification that is applied by the sender. 


2) Where confidential material is shared between the Participants it will be 
marked with the appropriate security classification. 


3) Where one Participant has received information from the other, it will 
consult with the other Participant before passing the information to a 
third party or using the information in an enforcement proceeding or 
court case. 


4) Where confidential material obtained from, or shared by, the originating 
Participant is wrongfully disclosed by the receiving Participant, the 
receiving Participant will bring this to the attention of the originating 
Participant without delay. 


PARAGRAPH 9 
REVIEW 


1) This MOU supersedes and replaces the Memorandum of Understanding 
between the Personal Data Protection Commission of the Republic of 
Singapore and the Information Commissioner for the United Kingdom 
for Cooperation in the Enforcement of Laws Protecting Personal Data 
signed by the Participants, at London, on 23 June 2019. 
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2) The Commissioner and the PDPC will monitor the implementation of this 
MOU and review it biennially, or sooner if either Participant so chooses. 


3) Any issues arising in relation to this MOU will be notified to the 
designated contact point of each Participant, as provided under 
Paragraph 12. 


PARAGRAPH 10 
AMENDMENTS 


Either Participant may make a request in writing for an amendment of any 
provision of this MOU. Any amendment which has been mutually agreed 
upon in writing by the Participants will come into effect on such date as 
may be mutually agreed. 


PARAGRAPH 11 
NON-BINDING EFFECT OF THIS MOU AND DISPUTE SETTLEMENT 


1) This MOU is a statement of intent that does not give rise to legally 
binding obligations on the part of either the Commissioner or the PDPC. 


2) The Participants will settle any disputes or disagreement relating to or 
arising from this MOU amicably through consultations and negotiations 
in good faith without reference to any international court, tribunal or 
other forum. 


PARAGRAPH 12 
DESIGNATED CONTACT POINTS 


1) The following persons will be the designated contact points for the 
Participants for matters under this MOU: 


Information Commissioner’s| Personal Data Protection 
Office Commission 


Name: Adam Stevens Name: Janice Tan 
Designation: Head of Intelligence | Designation: Director (Policy and 
Technology) 
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2) The above individuals will maintain an open dialogue between each other 
in order to ensure that the MOU remains effective and fit for purpose. 
They will also seek to identify any difficulties in the working relationship, 
and proactively seek to minimise the same. 


3) Each Participant may change its designated contact point for the 
purposes of this MOU upon notice in writing to the other Participant. 


Signed by the duly authorised representative of the Participants in duplicate 
in the English language, at Singapore and London on 10 June 2022. 


Signatories 


This MOU has been electronically signed by the Participants. The 
Participants hereby affirm that the electronic signatures have been 
affixed with the due authorisation of each Participant and that the 
Participants intend the electronic signatures to carry the same weight, 
effect and meaning as hand-signed wet-ink signatures. 


For and behalf of the Information 
Commissioner 


For and behalf of Personal Data 
Protection Commission 


Name: James Dipple-Johnstone 
Designation: Deputy Commissioner 


Date: 10 June 2022 


Name: Yeong Zee Kin 
Designation: Deputy Commissioner 


Date: 10 June 2022 
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